Two servers used by an app for parents to monitor their teenagers' phone activity have exposed the account information of tens of thousands of parents and children.
The mobile app, TeenSafe, allows parents to track the smartphone usage of their children, including their social media interactions, web history, call logs, installed apps, and real-time location. According to the Los Angeles-based company behind the service, more than a million parents currently use the service.
U.K.-based security researcher Robert Wiggins found the exposed TeenSafe servers, which were leaking the passwords and information of some users of the monitoring service. Hosted on Amazon's AWS cloud, the data was left unprotected and accessible by anyone without a password.
The exposed database included information such as the parent’s email address, child’s Apple ID email address, device name, device unique identifier and passwords for the teenager’s Apple ID.
TeenSafe claims on its website that it encrypts data so that it wouldn’t be accessible in the event of a breach. However, the exposed data had been stored in plaintext form.
Even more concerning, TeenSafe requires that teenagers refrain from using two-factor authentication so parents can keep an eye on their activity. Now that their personal information has been exposed, those teenagers are even more vulnerable to malicious actors who can easily log in using the exposed IDs and passwords, with multi-factor authentication disabled.
After being informed of the issue, TeenSafe acted swiftly to fix it.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet, which first broke the story.
According to ZDNet, the server held at least 10,200 records from the past three months containing customer data - though some were duplicates.
None of the records contained content data, such as photos or messages, or the locations of parents or children.
To confirm the authenticity of the data, ZDNet used iMessage to contact 12 parents whose details showed up on the server. While not everyone responded, those who did confirmed that the emails and passwords shown in the database were genuine.
While services like TeenSafe provide comfort for concerned parents, they also face criticism from privacy advocates.
TeenSafe suggests that a parent doesn’t even need to inform their child that they are using the service to monitor their activity. “Every parent’s situation is unique and only a parent can decide whether to inform their teen of their intent to use the [service],” the company says on its website.
TeenSafe said it was continuing to assess the situation and "will provide additional information" as it becomes available.